Ok, here’s the story. I just inherited a network that I’m still in the midst of learning all of the nuances of; like, it was migrated from a 2003 SBS server/domain to a Win2k8 Standard domain.

Well, recently I configured some OUs to help me manage some of the desktops. In doing so, I moved these computers from the default “Computers” OU into the Vista OU and XP OU.

I then applied several policies where I was turning off the Windows Firewall on these systems while they were on the network/domain, allowing all of the local users to log on locally, and allowing RDP sessions to take place on these systems.

And then BLAM! All of the computers (mostly Vista Ultimate machines) started to lose their computer account associations (just like their computer accounts were deleted, but they were still there). These systems can’t access the shared resources on the network, Outlook squawks about having to pass network credentials, and on some systems it was calling for proxy modifications (when we don’t run a proxy here).

You may ask: did this happen to all versions of Vista machines we run here… no! Seems like it’s just Ultimate that’s having issues.

My workaround was to re-add the computer/account back to the domain. You know the deal; change from domain member over to a workgroup member, then reboot, then from workgroup to domain member, and voilà! Up and running again….

So this leads me to the question, where I am sure there is some Vista genius out in the community that will go DUH! You did such and such by applying said GPO, or you jacked things up by moving them from one OU to another… or Vista Ultimate has this feature and my changes whacked it more than expected, and here is the fix.

So if you have a moment or happened to have experienced this firsthand and know why it happened, please let me know!! Thanks!

3 Replies

I don't think it's a GPO issue. But to figure THAT out you would have to post all your GPOs with all preferences that are affecting your Vista machines (and all of the GPOs on the OUs above and the default domain OU ;-)

If you say the domain has changed from one DC to another, maybe you have a time sync issue. Check if affected machines have the correct time from the new W2k8 DC.

Imba! Thanks for the input; I just wanted to update this post for peace of mind more than anything… because I sure in the heck feel like I am losing my mind!

I began by trying to see what actually caused my issue by searching the web for possible similar instances, and came across a post on Mark Russinovich's TechNet blog where he was speaking about circumventing Group Policies; in this blog he speaks about Regmon and tracing it down to a registry entry that would need to be altered to circumvent the policy. So this leads me to using Procmon and figuring out which registry key was preventing my accessing the network (BTW, side note, Vista was complaining about its network location as being unauthorized and asked if I wanted to run diagnostics on my network connections {of course I did, I always do what MS asks}, which actually returned a status that my firewall outbound rules were restricting my network access and that I needed to modify them).

Short story long, I come to find out it was the Windows Firewall settings (that I applied with the Group Policies) within the registry which caused all outbound communication to be blocked. (Which also made it difficult to do a gpupdate to apply or remove all managed Vista firewall policies.) So I would have to continue to juggle computer domain accounts and get over my OOPS! But then I received a call from a user who was on the road and couldn’t get any network connectivity, let alone contact the domain for policy updates or be part of the domain computer account juggling act, all because she received an update of the policy while on the road.

So, my logic led me to whacking the branch of the registry (backed it up first) where the firewall policy was being enforced (ran this on a test system in my lab where I had a similar situation happening). After doing so, I rebooted the system and I no longer had Group Policy managed firewall settings, and I was again capable of getting network access and network resources, along with re-syncing my computer credentials with the domain (no more needing to do the computer account juggling).

So I was like, wheeeewwww… I just might make it! So we worked through this with the remote user and, for whatever reason, it didn’t work out right out of the blocks as expected (or like it did in the lab, like it ever does). So back to the lab to see if I could replicate this again. I began with re-applying my registry whacks back into my system (merged my reg files from my backed-up copies) and found out that I could still talk to the network even after a reboot. So I moved that computer account back into the OU where this policy would be applied and BAM! It happened again. So I thought that I was going to be able to Procmon this system to see if I missed a registry entry that was causing my road warrior's problem… well, I didn’t see anything more than I did the first time. So I restarted the system again, and when I was back at the desktop window I noticed that all of the networked apps that sit in the system tray were talking to their network resources… did this mean that my firewall was off? Come to find out that I was once again getting managed firewall settings via the policy; however, I was capable of accessing the network and its resources, the domain and the internet. (Feel like I’m losing my mind.)

Short story even longer… my road warrior sends me an email this morning saying that she has network connectivity and seems to be good to go. (Lost my mind totally, TGIF!!) Anyway, what did I take from all of this… I took that MS and the Windows gods are evil and they don’t pay me enough to figure this all out..!
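The thread comes down to a GPO-delivered Windows Firewall policy whose default outbound action was Block, which cuts off domain logon, gpupdate and Outlook alike. The following PowerShell is an added example, not code from the thread: it reads the policy registry branch the poster was deleting and reports, per profile, whether the GPO forces outbound traffic to Block, so the GPO itself can be corrected instead of the registry. It assumes the documented policy path HKLM\SOFTWARE\Policies\Microsoft\WindowsFirewall with its DomainProfile/PrivateProfile/PublicProfile subkeys and the value semantics EnableFirewall (1 = on) and DefaultOutboundAction (1 = Block, 0 = Allow).

```powershell
# Added diagnostic (not from the original thread). Run in an elevated PowerShell
# on an affected domain member; read-only, it changes nothing.
# Assumed path/values: GPO firewall settings land under this policy branch, and
# DefaultOutboundAction 1 = Block, 0 = Allow; EnableFirewall 1 = on.
$policyRoot = 'HKLM:\SOFTWARE\Policies\Microsoft\WindowsFirewall'

function Get-FirewallPolicyState {
    param([string]$Profile)
    $key = Join-Path $policyRoot $Profile
    if (-not (Test-Path $key)) {
        # No policy subkey: this profile is using local (non-GPO) settings.
        return [pscustomobject]@{ Profile = $Profile; ManagedByGpo = $false; Enabled = $null; Outbound = 'local setting' }
    }
    $props = Get-ItemProperty -Path $key
    $outbound = switch ($props.DefaultOutboundAction) {
        1       { 'Block' }
        0       { 'Allow' }
        default { 'not set (firewall default is Allow)' }
    }
    [pscustomobject]@{
        Profile      = $Profile
        ManagedByGpo = $true
        Enabled      = $props.EnableFirewall
        Outbound     = $outbound
    }
}

foreach ($p in 'DomainProfile', 'PrivateProfile', 'PublicProfile') {
    $state = Get-FirewallPolicyState -Profile $p
    $state
    if ($state.Outbound -eq 'Block') {
        Write-Warning ("{0}: the GPO sets the default outbound action to Block. Without explicit " +
            "outbound allow rules the machine cannot reach a DC, so secure channel, gpupdate and " +
            "Outlook fail. Set 'Outbound connections' to Allow in the GPO rather than deleting " +
            "this registry branch, which the next policy refresh re-creates.") -f $p
    }
}

# Cross-check the effective (merged) policy the firewall service reports.
netsh advfirewall show allprofiles
```

The Outbound line of `netsh advfirewall show allprofiles` should read `AllowOutbound` once the corrected GPO has been applied; the policy branch reappearing after gpupdate is expected and harmless at that point.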